The law firm of Davis Wright Tremaine announced that the U.S. Department of Justice (DOJ) recently issued an internal opinion limiting DOJ criminal prosecutions under the federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). The DOJ Opinion was leaked to the Internet, see http://www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf.
In sum according to the law firm, the DOJ Opinion limits prosecutions to:
• “covered entities,” that is, health care providers, health plans (e.g., insurers), health care clearinghouses, and sponsors of Medicare prescription drug cards;
• certain directors, officers, and employees of such covered entities who may be criminally liable “directly” “in accordance with general principles of corporate criminal liability” (little explained in the DOJ opinion); and
• those third parties who cause, aid or abet, counsel, command, induce, procure, or conspire with, a covered entity to act (through employee conduct imputed to the entity in certain circumstances) in violation of HIPAA, liable under “principles of aiding and abetting liability and of conspiracy . . . .”
The DOJ Opinion leaves much unsaid. Although federal prosecutors likely will act with caution in applying its guidance, prosecutors retain the ability to prosecute parties outside of covered entities, depending on the applicable facts.